was successfully added to your cart.

Cart

Tag

auditing services Archives - Compliance and Auditing Services

Post Payment Audits

By | Audits | No Comments

Screen-Shot-2013-12-03-at-1.13.23-PMAudits are big business for insurance carriers. For every 2 dollars that insurance companies spend on investigations, they profit $17 dollars in recoveries. In fact, audit and investigation divisions are one of the most profitable divisions for insurance companies.

Even though this doesn’t mean insurance carriers are out to get you, studies show that chiropractors have one of, if not the highest error rate when it comes to documentation.

In other words, insurance companies know chiropractors are bad at documentation and it’s easier to get money from them.

In general, chiropractors assume that as long as insurance carriers and Medicare are paying, they must be billing correctly. This is a very dangerous assumption to make.

Both insurance companies and Medicare collect information on all providers to identify those who fall outside the accepted parameters.

If your claims are coded improperly, you will be held responsible and required to pay back all the payments you received and possibly an additional fine.

The average payout by a practice seeing an average of 70 patient visits per week is $40,000.00 and $800,000.00 in an office seeing an average of 350 patients visits per week.

Because audits can be conducted on any provider that receives payments, and that includes cash practices as well, you can be audited. It’s not a question of if you’ll get audited; it’s a question of when you’ll get audited.

What Triggers an Audit?

Audits can be triggered in several ways, but the two most common are complaints and profiling.

As an example, a doctor contacted me recently for consulting services because a patient submitted a complaint to the board of chiropractic. The board requested the patient’s record for review. Because his documentation was so poor, the board requested five more files to be reviewed by the Department of Healthcare Quality Assurance.

Concerned, he called my office to review the files before submitting them to the board. Unfortunately, his documentation did not support his billing and without going into detail because I’m now working with his attorney, he is facing fines up to $10,000 dollars, the loss of his license, and possible referral for criminal prosecution.

With profiling, insurance companies gather information from claims submissions and then use the information to profile your billing patterns. If your office falls outside accepted parameters, then you get picked out for an audit.

Usually it starts with a request to review a certain number of patient files. Then the auditor reviews the files to determine if your records support the services that you received payment for.

If the records can’t prove the medical necessity of your treatment or support the billing codes, then the auditor will calculate a “percent deficiency,” and then extrapolate that over all the claims paid to you for the past five years.

That will then determine your payback amount and the insurance company sends you a letter demanding you pay them back.

As an example, a doctor called Compliance & Auditing Services for help when he received a request for $400,000 dollars.

Medicare audits can be triggered by a complaint, profiling or even randomly.     Medicare has a policy requiring them to randomly audit doctors’ offices.

The worst-case scenario is to have criminal charges filed against you.

Specific triggers include:

  1. Billing for maintenance care
  2. Overusing CMT code 98941(3-4 regions) or 98942 (5 regions).

   *Payers consider the correct percentage of utilization by chiropractors for CMT codes is:

                                   98940–25%, 98941–60%, 98942–15%*

  1. Excessive use of the E/M codes 99204 and 99205.
  1. Billing massage therapy (97124) with a CMT 98941 or 98942.
  1. Billing manual therapy (97140) with a CMT 98941 or 98942.
  1. Repeatedly billing neuromuscular re-education (97112).
  1. Billing passive therapies beyond the first 12 visits of care.

Being audited doesn’t mean you are guilty, it means you have to prove that you are innocent. So be able to justify your treatment with accurate documentation and evidence-based research.

Take the first steps now, before you get audited, by taking the time to improve your documentation and billing polices.

Start implementing active rehabilitation directed at the improvement of function rather than symptom relief. Most importantly, take compliance seriously.

Though there’s no way to completely avoid an audit, performing internal audits and having a comprehensive compliance program in your office can flag potential problems in billing or coding and avoid costly mistakes.

In fact, federal regulation requires you to do regular audits and to have a documented compliance program in your office.

Signed into law by the Health Care and Education Reconciliation Act of 2010, having an active office compliance program is mandatory. So you don’t have a choice, it’s the law.

Compliance programs must be updated regularly and followed to the letter.

If you haven’t completed an internal audit or developed a comprehensive compliance program, now is the time. Both can be done by outside consultants, or done in-house.

For example, all Compliance & Auditing Services consultants are certified as medical compliance specialists, insurance consultants and certified peer reviewers. Our company can design a compliance program that meets all federal and state regulations for you from scratch and conduct the required internal audits.

So why struggle to be compliant alone when there’s a team of qualified experts ready to give you the personal support you need to protect your office from losing 1000s of dollars to audits.

These are trying times for all doctors and ignoring the new regulations is no longer an option.

 

Dr. John Davenport DCM, CCSP, FIAMA, MCSP, ICI

Chief Compliance Officer Compliance & Auditing Services

The Protected Health Information Cyber Attack Threat

By | Compliance | No Comments

3d rendering of a monit with a chain around it.

Reports of cyber attacks on large corporations such as  Nationwide, JPMorgan Chase and even the Pentagon have been make big news. Yet, every day there are attacks aimed at small to mid-size organizations.

With the increasing use of EHRs, practices are facing increased liability with regard to breaches of protected Health information (ePHI). Hackers know that healthcare providers are less likely to fully protect themselves.

At the same time, increased HIPAA and HITECH security regulations and penalties, for violations, also increase the healthcare providers liability for breaches of ePHI,

Many Doctors simply lack the knowledge and training needed to protect their offices against a cyber attack or meet HIPAA Security Rule requirements.

In this three part series we will discuss simple steps to reduce most major threats to the safety of ePHI. This should be considered basic computer security 101 and not a course on the HIPAA/HITECH rules.

Firewall Protection:

First, unless your practice is totally disconnected from the Internet, it should have a Firewall to protect against threats from outside sources.

Basically, a Firewall is a system that prevents unauthorized access to a private network and works like a filter between your computer network and the Internet. Anything that goes into or out of the network must pass through the firewall.

The firewall examines each message and can be configured to prevent employees from sending certain types of emails or transmitting sensitive data outside of the network.

Additionally, firewalls can be programmed to prevent access to certain websites (like social networking sites) and can prevent outside computers from accessing computers inside your network.

Most computer operating systems come with a firewall installed and firewall software is also available at stores that sell computer products. Both types of firewall software normally provide technical support and guidance for users without the technical savvy.

Anti-virus Protection:

In small offices, attackers compromise computers primarily through viruses, spyware and malware. Computers can become infected by outside sources such as CD- ROMs, e-mail, flash drives, and web downloads. Even a computer that has all  the latest security updates to its operating system and applications can be at risk because of system flaws.

Anti-virus software is used to scan files to identify and eliminate computer viruses andmalicious software. It can also let you know when there has been an attempted threat to your system.

Anti-virus software analysis’s system files to look for known viruses, by means of a virus dictionary, and identifies suspicious behavior that might indicate an infection. Therefore, providing protection against brand-new viruses that do not yet exist in any virus dictionaries.

Without anti-virus software to identify infections, data may be stolen or destroyed. Reliable Anti-virus software is available at most stores that sell computer products, and are relatively inexpensive to buy.

Once you’ve down loaded anti-virus software to your computer, this includes hand held devices, make sure to keep it updated. Anti-virus products require regular updates in order to protect from new computer viruses.

Chained laptop from the frontPasswords:

Passwords are a first line defense in preventing unauthorized access to any computer and should be required to log into your system.  In addition, passwords can be reviewed, using an audit trail log, to see who is accessing specific information and what changes where made to that information.

Passwords can also limit what information individual people have to certain information. This can include certain staff members, your IT contractor, your billing company or anyone who has remote access to your computer system.

Because criminals use special software to try to guess a password, it is important to use strong passwords. A Strong password should:

  • Be at least 8 characters in length
  • Include a combination of upper case and lower case letters, at least one number and at least one special character, such as a punctuation mark
  • Be changed periodically.

You should also have policies in place to remove passwords on staff that leave or are terminated.

An administrator password is used only when you need to make changes or updates to your operating system. This means that anyone with this code can go anywhere and change anything in your system.

To decrease the chance that the administrator password gets stolen, the person in your office authorized to make changes to your system should have a separate user code that is used for daily system access.